Subject: Re: host + key pairs for known_hosts

From: Simon Josefsson <simon_at_josefsson.org>
Date: Wed, 06 May 2009 12:12:04 +0200

Tor Arntsen <tor_at_spacetec.no> writes:

> On Wed, May 6, 2009 at 11:54, Daniel Stenberg <daniel_at_haxx.se> wrote:
>
>> Now, this seems to be a description of the known_hosts file currently in use
>> by openssh: http://nms.lcs.mit.edu/projects/ssh/README.hashed-hosts
>>
>> IOW, they no longer store the host name in the plain, but only as a sha-1 hash
>> with a 64bit salt. This will have some impact on how we can do the host + key
>> pairs and check for existing keys.
>
> Hashed or not is a configurable option in openssh (HashKnownHosts no/yes).
> I always turn off hashing because I don't see how I could handle cases
> where the known host updates its key (because I have e.g. reinstalled
> its OS or something). There doesn't seem to be an ssh option to
> override it, and with hashing on I would have to delete the entire
> known_hosts file every time, afaic. With hashing off I just vi the
> file, a quick search, and kill the line.

You don't have to delete the entire file; the error message you get on a
host key mismatch contains the line number in known_hosts. You just
have to remove that line on host OS reinstall (plus the line for the IP
address, but the line number for that is also printed).

The reason for hashed known_hosts is automated bots that iterate
through the list to see if they can log in automatically. Without the
hostname in the clear, the bot doesn't know as easily which hosts the
user logs in to.

/Simon
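As an added illustration of the two points discussed above (this is example code written for this page, not code from the thread or from libssh2), the following Python shows how a client could match a hostname against both plain and hashed known_hosts entries and report the line numbers of the entries that cover a host, which is what a user needs after a host has been reinstalled. The hashed host field follows the `|1|base64(salt)|base64(hmac_sha1(salt, hostname))` layout of the README Daniel links; the sample file, the key string and the fixed 20-byte salt are constructed for the example, and plain entries are handled only as comma-separated lists (no wildcards, negation or `[host]:port`).

```python
import base64
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

HASH_MAGIC = "|1|"  # prefix OpenSSH writes in front of a hashed host field


def hash_hostname(hostname: str, salt: Optional[bytes] = None) -> str:
    """Return the hashed host field for hostname: |1|base64(salt)|base64(hmac_sha1(salt, hostname))."""
    if salt is None:
        salt = os.urandom(20)  # a SHA-1-sized random salt; the matcher accepts any salt length
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "{}{}|{}".format(HASH_MAGIC,
                           base64.b64encode(salt).decode(),
                           base64.b64encode(digest).decode())


def host_matches(pattern: str, hostname: str) -> bool:
    """True if the host field of a known_hosts line covers hostname.

    Hashed fields are recomputed with the stored salt and compared in
    constant time; malformed fields never match. Plain fields are treated
    as a comma-separated list of names/addresses (constructed simplification).
    """
    if pattern.startswith(HASH_MAGIC):
        try:
            _, _, salt_b64, digest_b64 = pattern.split("|")
            salt = base64.b64decode(salt_b64, validate=True)
            digest = base64.b64decode(digest_b64, validate=True)
        except ValueError:  # wrong number of fields or bad base64 (binascii.Error is a ValueError)
            return False
        computed = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(computed, digest)
    return hostname in pattern.split(",")


def parse_line(line: str) -> Optional[Tuple[str, str, str]]:
    """Split a known_hosts line into (host_field, key_type, key_b64); None for blanks and comments."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    parts = stripped.split()
    if parts[0].startswith("@"):  # skip '@cert-authority' / '@revoked' markers
        parts = parts[1:]
    if len(parts) < 3:
        return None
    return parts[0], parts[1], parts[2]


def lookup(known_hosts: str, hostname: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, key_type, key_b64) for every entry covering hostname, 1-based."""
    hits = []
    for number, line in enumerate(known_hosts.splitlines(), start=1):
        entry = parse_line(line)
        if entry and host_matches(entry[0], hostname):
            hits.append((number, entry[1], entry[2]))
    return hits


def check_key(known_hosts: str, hostname: str, key_type: str, key_b64: str) -> Tuple[str, List[int]]:
    """Classify a presented host key as 'match', 'mismatch' or 'unknown'.

    On 'mismatch' the returned line numbers are the ones the user would
    delete (or re-verify) after a legitimate reinstall of the host.
    """
    hits = lookup(known_hosts, hostname)
    if not hits:
        return "unknown", []
    for number, stored_type, stored_key in hits:
        if stored_type == key_type and stored_key == key_b64:
            return "match", [number]
    return "mismatch", [number for number, _, _ in hits]


# Constructed sample data: a fixed salt and a placeholder key string, not a real host key.
SALT = bytes(range(20))
SAMPLE_KEY = "AAAAB3NzaC1yc2EAAAADAQABAAAAgQD" + "x" * 50
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed example file, not a real known_hosts",
    "plainhost.example,192.0.2.10 ssh-rsa " + SAMPLE_KEY,
    hash_hostname("hashedhost.example", SALT) + " ssh-rsa " + SAMPLE_KEY,
    hash_hostname("192.0.2.20", SALT) + " ssh-rsa " + SAMPLE_KEY,
])

if __name__ == "__main__":
    print(SAMPLE_KNOWN_HOSTS)
    print(check_key(SAMPLE_KNOWN_HOSTS, "hashedhost.example", "ssh-rsa", SAMPLE_KEY))
    print(check_key(SAMPLE_KNOWN_HOSTS, "hashedhost.example", "ssh-rsa", "AAAAchangedkey"))
```

Note that `lookup` can only find an entry when it is handed the hostname to hash: nothing in the file lets a reader recover the names, which is the property Simon describes. The cost is exactly Tor's complaint: the IP-address entry written on first connect is a separate hashed line, so a reinstall leaves two lines to remove, which is why reporting both line numbers on a mismatch matters.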

_______________________________________________
libssh2-devel mailing list
libssh2-devel_at_lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/libssh2-devel
Received on 2009-05-06